A computer virus targeting industrial control systems provides a blueprint for a new generation of cyberweapons

Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum's "This Week in Technology." When it comes to infectious disease, the ideal war is waged selectively. Cancer researchers seek out ways to attack carcinomas while leaving normal cells untouched, in the way that antibiotics target invading bacteria. Soon we may be able to tune ultrasound pulsed lasers to do the same for viruses. And so, in hindsight, it seems inevitable that the longstanding similarity of computer viruses to anatomical ones would bring us to Stuxnet. It was first discovered back in July by a security company in Belarus and named Stuxnet for a string of letters buried in its code. Security experts have been studying Stuxnet all summer.

What they've found is no ordinary virus. Like most digital viruses, Stuxnet infects Windows computers. But, uniquely, Stuxnet will only do damage if it worms its way into a particular industrial control system made by Siemens. These "programmable logic controllers," as they're known, are used to control automated processes in some key industrial settings, including chemical plants, oil refineries, pipelines, and ominously, nuclear power plants.

Experts say that early versions of Stuxnet may have been dispersed as early as 2009. So far, the virus has infected at least 50 000 computers—perhaps as many as 100 000, mostly in Iran, India, Indonesia, and Pakistan. It has shown up in an Iranian nuclear plant in Bushehr and a uranium enrichment facility in Natanz, which has got some experts speculating that the worm was built specifically to sabotage the Iranian nuclear industry.

No one can say who built Stuxnet and why, but one thing's for sure: It's not the work of petty hackers. Analysts are saying it probably took at least six top-notch programmers six months to write it. So what makes Stuxnet so powerful? Now that it's been discovered, what will become of it? And does it herald a new era of cyberwarfare?

My guest today is Ralph Langner, who is an expert in industrial systems security and is the CEO of the German consulting company Langner Communications. Langner was the first independent expert to analyze Stuxnet's code and discover that the worm was designed to attack a specific target. He joins us by phone from Hamburg. Ralph, welcome to the podcast.

Ralph Langner: Oh, hi. Hi, everybody.

Steven Cherry: Ralph, let's start with the programmable logic controllers. How do they work, and how does Stuxnet attack them?

Ralph Langner: First of all, the programmable logic controller [PLC] is the interface between a program and the actual machines that do something useful in the real world. This is not a computer in the sense that we see a Windows operating system or hard disk, et cetera. But you can think of it as a very small computer system that operates in real time, and in a single-tasking mode. This is where the actual attack routine from Stuxnet takes place. And by the way, Steven, to follow up on your introduction, the very interesting part is it's an actual surgical strike that you're seeing here. The Stuxnet program that is downloaded from a Windows PC, where the programmable logic controller first checks the type of PLC. But that's not all. It then continues to check if a specific program is loaded onto that controller, which is really something freaky, and that explains why from around the 100 000 infections that we see, even those with the automation equipment installed, that even there we don't have reported damage. The only sites with reported damage are as you mentioned Bushehr and Natanz, and this can be explained easily by this capability of Stuxnet to check if a specific program is running on the PLC. But it even gets better. Once the rogue ladder logic is on the PLC, it checks for specific program conditions. So it doesn't start right away to do the evil task it's carrying out. It's just sitting put and looking for a specific process condition, so for example, a specific drive to accelerate, and when that condition is reached, then the original ladder logic is no longer carried out, and Stuxnet takes over control.

Steven Cherry: Maybe you could tell us what it was like to find Stuxnet, and what it was like to pick apart that code.

Ralph Langner: Well, Stuxnet got our attention when it became obvious that Stuxnet was doing something to PLCs. And since this is our area of expertise, we thought, well, now we should really start looking at Stuxnet. That was also the point when the antivirus companies seemed to run against the rubber wall. They couldn't make sense out of the purpose of Stuxnet, and this is due to the fact that the actual attack routine is not carried out on a Windows PC. That's carried out on a PLC. So when that happened, we decided to do our own analysis. We obtained the code, we infected our lab environment, and now something funny and strange happened. Actually, we are able to very quickly see Stuxnet's behavior. So when you have lab equipment like we have, which basically only consists of three major components: the SCADA part from Siemens; the programming part, or thematic manager, sometimes also called step 7; and then the most important part, a S7 PLC. When you have this put together, you will see Stuxnet very, very quickly. For example, firing up your Wireshark analyzer, you'll be able to see traffic from Stuxnet within five seconds. So, it got clearer very quickly that Stuxnet really was doing something to the PLC rather than trying to steal data from the SCADA database. All the theories that had been published early on in the research, they turned out to be actually quite misleading. The real damage is done on the PLC.

So, again, you can see the infection process from the rogue driver to the PLC very easily if you are analyzing the wire traffic, and from there we look forward and analyzed the software piece by piece, and the major result was, about two weeks later after we started our analysis, that Stuxnet is really doing code injection on the PLC. If you are a control-system engineer, you'll easily understand, well, that's actually your worst case.

Steven Cherry: I realize this next question is going to take us deeply into the realm of speculation, but it really does seem that the people who designed Stuxnet had an insider's knowledge of PLCs and perhaps even nuclear power plants.

Ralph Langner: Well, you can take that for granted. That's something that is—this is zero speculation here. This is something that you can see from the code analysis, and actually we're talking about insider knowledge in two different areas. We've clearly seen that there is heavy insider knowledge in terms of how does the driver DLL work. How—what is the memory structure of the Siemens PLC? All this is knowledge that is not publicly available. It is not published. It is something that you must research very, very thoroughly, and this will cost you years.

The second area where we clearly see insider knowledge is the attacked process, the attacked installation. So, again, the malicious code is not something generic. It's not denial of service or what you could expect in terms of malicious action just in a blind-shot manner. The attackers have full knowledge of the attacked facility. They have full knowledge about where specific actuators are connected to. They have full knowledge about the specific aggregates that they need to attack. And if you buy the Bushehr scenario, you can then infer that the goal obviously was not to cause a thermonuclear explosion but to destroy some very specific aggregates that—this would be my theory—are very hard to replace in terms of time, so that would set back the whole Iran nuclear power program for at least a year. This is something that you can infer from code analysis, that the attackers had full insider knowledge in these two different areas.

Steven Cherry: It's worth pointing out also that the designers of Stuxnet were also pretty clever about some other things. It didn't take this insider—

Ralph Langner: Yeah, absolutely.

Steven Cherry: So, for example, you know it's not like chemical plants or nuclear plants are connected to the Internet. The transmission of this was very carefully thought out as well.

Ralph Langner: Yeah, that's true. So the distribution we see with Stuxnet is mainly done via infected USB sticks. So, in technical terms, it would be not appropriate to call Stuxnet a worm because Stuxnet does not distribute by self-replication over the Internet, but this—it distributes mostly by infected USB sticks. This is the exact strategy that you would use when attacking an aero jet facility. So just like a nuclear power plant. In this case, it makes most sense to assume that the attack was carried out via the Russian integrator that built the plant. Because if you are familiar with the commissioning of such big plans, you know security in those situations is practically nonexistent, especially IT security. So engineers walk in and out with their notebooks, with their programming devices that they use for programming the PLCs. And those engineers that walk in and out, they easily be lured into picking up infected USB sticks, so this makes very much sense to assume that the attack was performed via the integrator just by making sure that some of their engineers accept infected USB sticks, plug them in their notebooks, go home with their notebooks to their company headquarters, and at some point in time, go with their infected notebooks to the target site. By the way, this also explains all the infections that we see in India, Indonesia, and Pakistan. Because these are also regions where this particular integrator has business.

Steven Cherry: The question presents itself: Does Stuxnet herald a new era of cyberwarfare after all?

Ralph Langner: That's a certain yes. If you remember the situation in Estonia and similar situations, that was mostly about the denial of service attacks and doing something to telecommunications. But in the case of Stuxnet, we are talking about a real cyberweapon, which is something we have never seen before in history. Second, the weapon we are talking about creates physical damage. It's not just a simple DOS, it's not just a nuisance; it really destroys your equipment. Third, in terms of cyberwar, well, actually, we are talking about a military target here. We are not even talking about critical infrastructure, because the Bushehr nuclear power plant is not used to provide the country's electricity needs, and even—it wasn't operational, so you take this together, and you understand what this is: real cyberwar for the first time in history. So, as a matter of fact, as I see it, cyberwar attacks as we have just seen are actually, right now, less likely than before Stuxnet because the element of surprise is missing. But my concern is much bigger. The concern that I have is that with Stuxnet being out in the wild, and with Stuxnet being analyzed down to the last bit, it will get very easy to copy the core attack routines from Stuxnet. So I am afraid that soon we will see this technology in the known malware tool kits, and that will enable every hacker, cracker, and organized criminal terrorist to use exactly this technology. And the targets in that scenario are not limited to nuclear power plants, for example, or military installations. They include, let's say, your wastewater plant or your large automaker. Think of all the big corporations that produce your food, your beverages, all the articles that you purchase on a day-to-day basis.

Steven Cherry: Yeah, so in other words, these programmer logic controllers are all over the place, in every industrial setting, and it's unlikely we would be able to protect all of them from something as simple as a USB thumb-drive infection.

Ralph Langner: Exactly, so this is very important to understand. The products that have been used here—the PLCs in question can be found in any industry that is doing something automated. So, as I said, from the nuclear power plant down to traffic lights, and even the cookie plant around the corner—in all such installations, you'll find the same type of equipment, and this equipment, as we have now seen, is vulnerable.

Steven Cherry: So if I understand you correctly, it would be possible, perhaps, for somebody using the technology of Stuxnet to design a virus that would, say, get into the GM design facilities and create a condition where if a turn was taken at a certain way at a certain speed, the brakes just didn't work at all, and then that might propagate into every car that GM makes for the next year, and then suddenly people start dying taking turns—

Ralph Langner: Well, absolutely. So one problem that we have in industrial cybersecurity is related to product quality, so if you change the process—what the IT security folks call the integrity of information—if you change that in an intelligent way, you can manipulate product quality, and if you do that in an intelligent way, you can even make sure that compromised products go out to the customer. They go out to the market. You might also see food that's contaminated because it was not properly processed, and the quality end control simply got disabled because of rogue coding of the controllers. All that is possible, but you could also do something much more simple. If you're thinking about a company like GM, you can do it, without any insider knowledge, make sure that all their production facilities come to a halt for a couple of days or even weeks. So we are not only talking about bad quality; we are also talking about downtime that might force a company into bankruptcy.

Steven Cherry: As is so often the case, it sounds to me like truth is stranger and much more frightening than fiction.

Ralph Langner: Yeah, I would agree to that.

Steven Cherry: Thank you very much for your time.

Ralph Langner: Well, you're welcome. Bye-bye, Steven.

Steven Cherry: We've been speaking with security consultant Ralph Langner about a sophisticated computer virus called Stuxnet that has infected thousands of computers in search of a single mysterious target. For IEEE Spectrum's "This Week in Technology," I'm Steven Cherry.